pgbouncer 1.7 TLS verification issue. #104

Closed
solyony-igor opened this Issue Jan 25, 2016 · 9 comments

Comments

@solyony-igor

It seems client_tls_sslmode = verify-ca didn't work as it should.
I am still able to connect to the database using plain TCP without any certificates with this option.

But from the documentation:

verify-ca
Client must use TLS with valid client certificate.

@markokr markokr self-assigned this Jan 25, 2016

@markokr markokr added the bug label Jan 25, 2016

@markokr

markokr commented Feb 2, 2016

Contributor

Actually I cannot reproduce this. Are you using "sslmode=disable" in the libpq connect string?

Could you show me the config and psql command line that does this?

@markokr

markokr commented Feb 2, 2016

Contributor

Could it be you can log in with TLS but without a cert? I see that as possible.

@solyony-igor

solyony-igor commented Feb 3, 2016

I'm using a connection string like this:
postgresql://user:password@pgbouncerhost:11432/database

In this case it uses prefer mode:

prefer (default)
    first try an SSL connection; if that fails, try a non-SSL connection

But it should fail when it tries to use a non-SSL connection.

@solyony-igor

solyony-igor commented Feb 3, 2016

Also, please note that when I specify sslmode=disable it fails to connect:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/test/venv/local/lib/python2.7/site-packages/psycopg2/__init__.py", line 164, in connect
    conn = _connect(dsn, connection_factory=connection_factory, async=async)
psycopg2.OperationalError: ERROR:  SSL required

but in the case of the default sslmode, when I didn't specify certificates, it works well; it seems it shouldn't, because I must use TLS with valid certificates.

@markokr

markokr commented Feb 3, 2016

Contributor

At least libpq uses SSL if available by default. You need to explicitly disable it to get a plain TCP connection.

@solyony-igor

solyony-igor commented Feb 3, 2016

Okay, but why was I able to connect to the database through pgbouncer without certificates with client_tls_sslmode = verify-ca?

@markokr

markokr commented Feb 3, 2016

Contributor

Yeah, that is definitely weird. Please test commit 6eccac1, which I just pushed out; does that fix it?

@solyony-igor

solyony-igor commented Feb 3, 2016

@markokr It seems it works fine now.
Will you update the archive on the page https://pgbouncer.github.io/downloads/ and, if yes, what is the estimated time?

@markokr

markokr commented Feb 3, 2016

Contributor

A couple of weeks perhaps, depending on how much time I have.

I'd like to look into a few other reported bugs as well.

Thank you for the report!

@markokr markokr closed this Feb 3, 2016
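The gap discussed in this thread (verify-ca accepting a TLS session with no client certificate while rejecting plain TCP) is easy to miss because libpq's default sslmode=prefer negotiates TLS silently. The probe below is an added example, not code from the issue or from the PgBouncer project: it encodes the documented client_tls_sslmode semantics in `expected_outcome` and compares them with what a running bouncer actually accepts. Host, port, credentials and certificate paths are placeholders; only the port 11432 comes from the connection string in the thread.

```python
# Added example: probe whether a PgBouncer endpoint enforces client_tls_sslmode as documented.
# All connection details below are placeholders (assumed values, not taken from the issue).
PGB_HOST, PGB_PORT, PGB_USER, PGB_PASSWORD, PGB_DB = "pgbouncerhost", 11432, "user", "password", "database"
CLIENT_CERT, CLIENT_KEY, CA_FILE = "/path/to/client.crt", "/path/to/client.key", "/path/to/ca.crt"

# Probes: (description, extra libpq parameters, client uses TLS, client presents a certificate).
# For the "no certificate" probe, ~/.postgresql/postgresql.crt must not exist, or libpq sends it anyway.
PROBES = [
    ("plain TCP", {"sslmode": "disable"}, False, False),
    ("TLS, no client certificate", {"sslmode": "require"}, True, False),
    ("TLS with client certificate",
     {"sslmode": "verify-ca", "sslrootcert": CA_FILE, "sslcert": CLIENT_CERT, "sslkey": CLIENT_KEY},
     True, True),
]

def expected_outcome(client_tls_sslmode, uses_tls, has_cert):
    """Documented PgBouncer semantics: True if the bouncer should accept such a client."""
    if client_tls_sslmode == "disable":
        return not uses_tls           # TLS not offered; a client insisting on it is refused
    if client_tls_sslmode in ("allow", "prefer"):
        return True                   # TLS if the client asks for it, plain TCP otherwise
    if client_tls_sslmode == "require":
        return uses_tls               # TLS mandatory, client certificate not checked
    if client_tls_sslmode in ("verify-ca", "verify-full"):
        return uses_tls and has_cert  # TLS plus a client certificate signed by client_tls_ca_file
    raise ValueError(f"unknown client_tls_sslmode: {client_tls_sslmode!r}")

def check_enforcement(client_tls_sslmode, observed):
    """observed: (description, uses_tls, has_cert, accepted) tuples; returns mismatch messages."""
    verdict = {True: "accept", False: "reject"}
    return [f"{name}: expected {verdict[want]}, observed {verdict[accepted]}"
            for name, tls, cert, accepted in observed
            if (want := expected_outcome(client_tls_sslmode, tls, cert)) != accepted]

def attempt_connect(extra):
    """True if PgBouncer lets the connection through, False if refused (auth failures count as refused)."""
    import psycopg2  # imported lazily so the pure helpers above work without the driver installed
    params = dict(host=PGB_HOST, port=PGB_PORT, user=PGB_USER, password=PGB_PASSWORD,
                  dbname=PGB_DB, connect_timeout=5, **extra)
    try:
        psycopg2.connect(**params).close()
        return True
    except psycopg2.OperationalError:
        return False

if __name__ == "__main__":
    observed = [(name, tls, cert, attempt_connect(extra)) for name, extra, tls, cert in PROBES]
    problems = check_enforcement("verify-ca", observed)
    print("\n".join(problems) if problems else "verify-ca enforced as documented")
```

Run it against the bouncer before and after upgrading past 6eccac1; the pre-fix behaviour reported above shows up as a single mismatch on the "TLS, no client certificate" probe.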
